© Copyright 2015
Agenda
• Who are LSC Group, who am I?
• What is risk and why should it be managed?
• The traditional approach to risk management
• How does enterprise risk management differ?
• Added functions of enterprise risk management
• Enterprise risk case studies
• What value does enterprise risk management add?
• Key enablers for implementing an enterprise risk function
• Summary and Questions
About us
… enabling better decisions
LSC is an Engineering Consultancy and Technology Company
We work closely with our clients to help inform decisions
170 people across 3 key locations and numerous customer sites
Working with asset intensive and mission critical industries including Defence, Energy, Rail, Infrastructure
About us
• Annual turnover over £18m
• Offices in Lichfield and Bristol
• ISO 20000:2011 certificated, adopting the best practice ITIL standard
• Employing a workforce of c.170 skilled personnel
• Certificated to ISO 9001:2008 & TickIT standards, ensuring every project is of the highest quality
• Order book circa £12 billion
• Enabling better decisions for over 25 years
• Established in 1988
• Part of Babcock International Group
Our customers
• Multiple stakeholders
• Long lifecycles
• Highly regulated environments
• Sensitive Information
• Complex assets
• Order book circa £12 billion
• Big Data, Information Rich
• Sharing and Collaboration
• Affordability, Availability and Performance
Our business
Consultancy Services Solutions
• Collaborative Solutions – ensuring the information and processes our customers need are securely shared, better organised and available at the point of need
• Management Services – supporting and delivering critical projects and programmes, managing risk and providing assurance and governance
• Lifecycle Engineering – managing and supporting assets, ensuring they are available and affordable through life
• Information & Knowledge Management – delivering confidence in the quality and assurance of our customers’ information
• Visualisation Solutions – advanced solutions that work with the growing big data challenge, and more information systems to support more informed decision making
• Data Analytic Solutions – helping our customers to work smarter and make better decisions
Who am I?
• David O’Regan
• Risk Management Consultant
• Background
– Career in law
– Moved to Risk Management 2 years ago
– Have worked in finance, energy, legal & project risk management
– Currently working as part of a PMO for a multi-billion pound MoD project
– Main belief: enterprise risk management is the key to the successful management of risk
What is risk?
• Definitions
– ‘A chance or possibility of danger, loss, injury, or other adverse consequences’ (Oxford English Dictionary)
– ‘Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative’ (Institute of Risk Management)
– ‘The potential of an action or event to impact on the achievement of objectives’ (APM)
• Key point – use a definition appropriate for you: simple & effective
Why should risks be managed?
• Ensures compliance with laws and regulations
• Provides awareness of problems and opportunities that could arise during a project
• Allows responses to be planned in advance
• Improves both the speed and quality of the responses that can be made
• Increases the probability of your projects being successful
How has risk traditionally been managed?
• Began being practised in projects c.1960
• In project management it has developed from the bottom-up
• Seen as the project manager's responsibility
• Risk managed on an individual basis
• Little or no centralised function or senior responsibility
– Level of oversight dependent on programme/exec level desire
The traditional risk management process
• Establish the Context
• Risk Assessment
– Risk Identification
– Risk Analysis
– Risk Evaluation
• Risk Treatment
Limitations of the traditional approach?
• Company/Programme
– No centralised view of what risk is or how it should be managed
– Creates an inconsistent approach to risk management, individual bias
– Lacks formal oversight of how risk is being managed
– Related risks unlikely to be managed together
• Projects
– Don’t always get the support they need to manage risks
– Risk not always managed by the right people
– Risk becomes managed in a bubble
• Risk management becomes a static, un-evolving discipline
How does an enterprise approach to risk management differ?
• Not different from the traditional approach to risk, but supplementary to it
• Holistic view of the management of risk, which takes into account the wider business context
• Integrates the management of risk so that all risk functions operate as one
• Looks at the interconnectivity of risks across projects
• Ensures risks are managed in the right way by the right people
• Addresses the limitations of the traditional approach
ISO 31000 Risk Management Process
• Establish the Context
• Risk Assessment
– Risk Identification
– Risk Analysis
– Risk Evaluation
• Risk Treatment
• Consult & Communicate
• Monitor & Review
Consult
• Explore the context within which the business/programme operates
– External & Internal
• Understand your stakeholders
• Develop a strategy, plan and objectives for risk management
– What do you want risk management to achieve, and how will the success of this be measured?
• Key point
– Understanding the wider context is key to successful risk management
Communicate
• Communication plan
– Which stakeholders need risk information?
– What information do people need?
– How will risk information be transferred?
– When do people need to get risk information?
• Create a structure for communicating the risk strategy
• Common language and terminology
• Key point
– Good information flow is vital for successful risk management
Monitor
• Risk information system or Excel
• Who will the risk information go to? Roles, responsibilities and reporting structures need to be created
• What are you going to monitor / report on?
– Size and type of risk, near term / long term, internal and external?
• How often will risk be reported on?
• How will issues be managed and lessons learned?
Review
• How do you know if your risk management function is working optimally?
• By having definable objectives against which the success of risk management can be measured
– E.g. response times, unexpected risk events, activeness of risk activities
• Has the risk landscape changed, has your organisation's context changed?
• Key point
– Risk management should be an evolving and dynamic practice
Case Studies
• We will now look at how a number of risk situations could affect a fictitious programme of works
• The fictional programme will be called the ABC Programme
• I will present 4 potential risk scenarios
• I will then show the consequences of these if
– A, ABC Programme had a traditional risk function
– B, ABC Programme had an enterprise-wide risk function
Case study 1 – Increasing risk
The situation
• ABC Programme has a project that requires a specialist piece of technology
• The capability to manufacture this technology only existed within 2 companies
• The company that our project was to use has recently gone into administration
• This has increased the risk that the project will not be able to obtain the required tech within time and/or to budget
Response – traditional risk function
• Noticed but not formally assessed?
• Fully appreciate the gravity of the risk?
• Understand effect on wider business?
• Communicated the risk to the wider business?
• Change the response strategy?
Response – enterprise risk function
• The increase assessed early and in line with the overall risk strategy
• Proportionate response
• Individual project assurance
• The risk would be highlighted to programme managers early
• Additional resource provided if necessary
Case study 2 – foreign import risks
The situation
• The ABC Programme has a project that needs to procure a large amount of metal components
• The components are not manufactured in the UK
• The metal components will need to be procured every 6 months over the next few years
• There are risks that the exchange rate and import costs could fluctuate
Response – traditional risk function
• The risk may not be identified as it is something out of the project’s control
• If the risk were identified and an assessment of the level of risk was made, it may not be fully understood
• The project is very unlikely to have the expertise to manage these risks by itself
• This will leave the success of the project open to chance
Response – enterprise risk function
• An enterprise-wide function should have processes in place to identify programme-wide risks
• The responsibility for controlling these risks should be removed from the project and placed within the team(s) with the necessary expertise, e.g. finance and commercial
• Regular communications and reports allow the project manager to remain aware of the risk and how it is managed, but free them up to focus on controlling their controllables
Case study 3 – risk issues
The situation
• The ABC Programme has incurred a 100% increase in the number of fines received from their regulator in the past year
• The fines relate to a number of different issues ranging from health and safety to security breaches
• The fines are across a number of different unconnected projects across the programme
• The individual fines are not significant
Response – traditional risk function
• Unlikely to have an issues management capability.
• Unlikely to see or manage their connectivity.
• Response would be disjointed.
• Could lead to an increase in issues and/or inappropriate responses.
Response – enterprise risk function
• Key Risk Indicators to identify emerging issues.
• The root cause investigation.
• Response strategy defined with roles / responsibilities.
• Expertise could be drawn from across the business.
• Periodic reviews and lessons learned.
Case study 4 – risk support
The situation
• ABC Programme’s parent company has recently received bad financial figures for the previous year
• As a result the ABC Programme has been informed that they need to make operational savings for the next financial year of 10%
• ABC Programme want to make the savings without affecting the health and safety of the workers
• ABC would also like to make the savings whilst keeping schedule exposure to a minimum.
Response – traditional risk function
• Risk management unlikely to be considered.
• Unlikely to have the framework or expertise in place to provide support.
• Making changes without considering risks could:
– Unacceptably increase risk exposure
– Increase risk exposure to inappropriate areas – critical path
• Effect may not be noticed for some time, but could be significant.
– Important therefore that risks are considered early
Response – enterprise risk function
• Identify processes with potential H&S consequences.
• Advice to be given on the processes with the smallest risk of causing schedule impact.
• Allows programme manager chance to ‘step back’ and see the bigger picture when making decisions about where to cut.
• Ongoing monitoring and reviews to make sure the strategy remains effective.
What Value does Enterprise Risk Management Add?
• Allows wider context to be seen and understood
• Provides a consistent approach to risk management across programmes & business
• Gives assurance to project managers that they are managing risk in line with expectations
• Ensures risks are managed by the right people
• Allows for better and more proactive decision making
• Increases confidence of stakeholders
Implementing an Enterprise Function
• Key enablers
– Executive / Programme level buy-in
– A risk framework; reporting lines, accountability
– Reinforcing through culture; presentations and information
– Risk Information System
– Good risk managers!
Conclusions
• Traditional approach to risk management is limited by having a disjointed and individualistic approach
• Enterprise risk management addresses these issues by:
– Creating a common structure and approach to risk management
– Ensuring accountability
– Communicating risk information to the right people
– Constantly reviewing both risks and risk management to make sure the process is effective and efficient
– Using the wider business to help projects meet their target